use Gardener cert-manager instead of jetstack cert-manager (#1076)

.ci/component_descriptor

@@ -38,6 +38,8 @@ ${ADD_DEPENDENCIES_CMD} \
     --component-dependencies \
     '{"name": "github.com/gardener/external-dns-management", "version": "'$(jq -r ".versions[\"dns-controller-manager\"].version" <<< $DEP_VERSIONS)'"}' \
     --component-dependencies \
+    '{"name": "github.com/gardener/cert-management", "version": "'$(jq -r ".versions[\"cert-management\"].version" <<< $DEP_VERSIONS)'"}' \
+    --component-dependencies \
     '{"name": "github.com/gardener/sow", "version": "'$SOW_VERSION'"}' \
     --container-image-dependencies \
     '{"image_reference": "eu.gcr.io/gardener-project/sow:'$SOW_VERSION'", "version": "'$SOW_VERSION'", "name": "sow"}'

.ci/set_dependency_version

@@ -54,6 +54,8 @@ elif dep_name == 'github.com/gardener/terminal-controller-manager':
     set_dep_version(dep_version, 'versions', 'dashboard', 'terminals', 'terminal-controller-manager', 'version')
 elif dep_name == 'github.com/gardener/external-dns-management':
     set_dep_version(dep_version, 'versions', 'dns-controller-manager', 'version')
+elif dep_name == 'github.com/gardener/cert-management':
+    set_dep_version(dep_version, 'versions', 'cert-management', 'version')
 elif dep_name == 'github.com/gardener/sow':
     with sow_version_file.open(mode='w') as f:
         f.write(dep_version)

acre.yaml

@@ -221,20 +221,10 @@ landscape:
     cert-manager:
       controller:
         <<: (( merge ))
-        tag: (( valid( branch ) -or valid( commit ) ? ~~ :helm_tag )) # only used for CRDs
-        repo: "https://github.com/jetstack/cert-manager.git"
-        helm_repo: "https://charts.jetstack.io"
-        helm_tag: "v1.8.1"
-      cainjector:
-        <<: (( merge ))
-        tag: (( valid( branch ) -or valid( commit ) ? ~~ :cert-manager.controller.helm_tag ))
-        image_tag: (( valid( tag ) ? tag :~~ ))
-        image_repo: (( ~~ ))
-      webhook:
-        <<: (( merge ))
-        tag: (( valid( branch ) -or valid( commit ) ? ~~ :cert-manager.controller.helm_tag ))
+        tag: (( valid( branch ) -or valid( commit ) ? ~~ :.dependency_versions.versions.cert-management.version ))
         image_tag: (( valid( tag ) ? tag :~~ ))
         image_repo: (( ~~ ))
+        repo: (( .dependency_versions.versions.cert-management.repo ))
       cert-dns-bridge:
         <<: (( merge ))
         tag: (( valid( branch ) -or valid( commit ) ? ~~ :"2.1.0" ))

components/cert-manager/cert/component.yaml

@@ -1,7 +1,6 @@
 ---
 component:
   imports:
-    - cert-manager/solver
     - cert-controller: cert-manager/controller
     - namespace
     - ingress-controller

components/cert-manager/cert/deployment.yaml

@@ -18,15 +18,18 @@ plugins:
 cert:
   kubeconfig: (( .landscape.clusters[0].kubeconfig ))
   manifests:
-    - apiVersion: cert-manager.io/v1
+    - apiVersion: cert.gardener.cloud/v1alpha1
       kind: Certificate
       metadata:
         name: (( .settings.certificate.name ))
         namespace: (( .settings.certificate.namespace ))
+        annotations:
+          cert.gardener.cloud/class: (( imports.cert-controller.export.certClass ))
       spec:
-        secretName: (( .settings.certificate.secret_name ))
-        renewBefore: 360h # 15d
-        dnsNames: (( .settings.certificate.domains ))
+        commonName: (( .settings.certificate.domains[0] ))
+        dnsNames: (( .settings.certificate.domains[1..] ))
+        secretRef:
+          name: (( .settings.certificate.secret_name ))
+          namespace: (( .settings.certificate.namespace ))
         issuerRef:
           name: (( imports.cert-controller.export.issuerName ))
-          kind: ClusterIssuer

components/cert-manager/cert/export.yaml

@@ -12,12 +12,11 @@ wait_for_certificate:
     - "-n"
     - (( .settings.certificate.namespace ))
     - "get"
-    - "certificate.cert-manager.io"
+    - "certificates.cert.gardener.cloud"
     - (( .settings.certificate.name ))
     - "-o"
     - "json"
-  result: (( sync( exec_uncached( check_command ), defined( value.status.conditions[0].status ) -and value.status.conditions[0].status == "True", value, 600 ) ))
-  b64dall: (( |x|-> sum[x|{}|s,k,v|-> s {k=base64_decode(v)}] ))
+  result: (( sync( exec_uncached( check_command ), defined( value.status.state ) -and value.status.state == "Ready", value, 600 ) ))
 
 export:
   <<: (( .settings ))

components/cert-manager/controller/component.yaml

@@ -12,9 +12,9 @@ component:
     - lib/templates/state.yaml
 
   plugins:
-    - chart-checkout
+    - git
 
-chart-checkout:
-  repo: (( landscape.versions.cert-manager.controller.helm_repo ))
-  name: cert-manager
-  version: (( landscape.versions.cert-manager.controller.helm_tag ))
+git:
+  <<: (( landscape.versions.cert-manager.controller ))
+  files:
+    - charts

components/cert-manager/controller/deployment.yaml

@@ -4,14 +4,12 @@ landscape: (( &temporary ))
 utilities: (( &temporary ))
 
 settings:
-  groupName: cert-bridge.gardener.cloud
-  solverName: certificate-dns-bridge
   namespace: cert-manager # will be created - don't choose an existing one!
-  serviceAccountName: cert-manager
   self-signed: (( .caSpec.url == "self-signed" ))
   issuerName: (( .settings.self-signed ? "ca-issuer" :"acme-issuer" ))
   issuerPrivateKey: (( .settings.self-signed -or (! valid( .landscape.cert-manager.privateKey ) ) ? ~ :.landscape.cert-manager.privateKey ))
   caSecret: "self-signed-ca"
+  certClass: "garden-setup"
   ca:
     given: (( &temporary ( valid( .caSpec.ca.crt ) -and ( ( ! .settings.self-signed ) -or valid( .caSpec.ca.key ) ) ) )) # a given CA needs crt and key for self-signed mode
     crt: (( given ? .caSpec.ca.crt :( .state.ca.value.cert || ~~ ) ))
@@ -31,9 +29,8 @@ plugins:
       - helm
       - template
     - kubectl: helm
-  - webhookready
-  - -echo: (( .settings.self-signed ? ( .settings.ca.given ? "Using provided CA" :"Using self-signed CA" ) :"Using ACME server at " .caSpec.url ))
   - kubectl: issuer
+  - -echo: (( .settings.self-signed ? ( .settings.ca.given ? "Using provided CA" :"Using self-signed CA" ) :"Using ACME server at " .caSpec.url ))
 
 namespace:
   name: (( settings.namespace ))
@@ -42,14 +39,8 @@ namespace:
     - apiVersion: v1
       kind: Namespace
       metadata:
-        labels:
-          cert-manager.io/disable-validation: "true"
         name: (( .namespace.name ))
 
-webhookready:
-  kubeconfig: (( .landscape.clusters.[0].kubeconfig ))
-  namespace: (( .settings.namespace ))
-
 issuer: (( .settings.self-signed ? *ca_issuer :*acme_issuer ))
 
 issuer-secret:
@@ -61,32 +52,26 @@ issuer-secret:
       name: (( settings.issuerName "-secret" ))
       namespace: (( .settings.namespace ))
     data:
-      tls.key: (( base64(settings.issuerPrivateKey) ))
+      privateKey: (( base64(settings.issuerPrivateKey) ))
 
 acme_issuer:
   <<: (( &template &temporary ))
   kubeconfig: (( landscape.clusters.[0].kubeconfig ))
   manifests:
     - <<: (( valid( .settings.issuerPrivateKey ) ? *issuer-secret :~ ))
-    - apiVersion: cert-manager.io/v1
-      kind: ClusterIssuer
+    - apiVersion: cert.gardener.cloud/v1alpha1
+      kind: Issuer
       metadata:
-        name: (( settings.issuerName ))
+        name: (( .settings.issuerName ))
+        namespace: (( .settings.namespace ))
       spec:
         acme:
           server: (( .caSpec.url ))
           email: (( .landscape.cert-manager.email || .landscape.identity.users[0].email ))
+          autoRegistration: (( ! valid( .settings.issuerPrivateKey ) ))
           privateKeySecretRef:
-            name: (( settings.issuerName "-secret" ))
-          solvers:
-            - dns01:
-                webhook:
-                  groupName: (( settings.groupName ))
-                  solverName: (( settings.solverName ))
-                  config:
-                    dns-class: (( .imports.dns-controller.export.dns-class ))
-                    namespace: (( .imports.dns-controller.export.namespace ))
-                    ttl: (( .landscape.defaultTTL ))
+            name: (( .settings.issuerName "-secret" ))
+            namespace: (( .settings.namespace ))
 
 ca_issuer:
   <<: (( &template &temporary ))
@@ -101,13 +86,16 @@ ca_issuer:
       data:
         tls.crt: (( base64( .settings.ca.crt ) ))
         tls.key: (( base64( .settings.ca.key ) ))
-    - apiVersion: cert-manager.io/v1
-      kind: ClusterIssuer
+    - apiVersion: cert.gardener.cloud/v1alpha1
+      kind: Issuer
       metadata:
-        name: (( settings.issuerName ))
+        name: (( .settings.issuerName ))
+        namespace: (( .settings.namespace ))
       spec:
         ca:
-          secretName: (( .settings.caSecret ))
+          privateKeySecretRef:
+            name: (( .settings.caSecret ))
+            namespace: (( .settings.namespace ))
 
 
 servers:
@@ -123,7 +111,7 @@ helm:
   kubeconfig: (( landscape.clusters.[0].kubeconfig ))
   files:
     - "helm/rendered_charts.yaml"
-  source: "chart-checkout/charts/cert-manager"
+  source: "git/repo/charts/cert-management"
   name: cert-manager
   namespace: (( .namespace.name ))
   flags:
@@ -132,18 +120,15 @@ helm:
     image:
       repository: (( .landscape.versions.cert-manager.controller.image_repo || ~~ ))
       tag: (( .landscape.versions.cert-manager.controller.image_tag || ~~ ))
-    cainjector:
-      image:
-        repository: (( .landscape.versions.cert-manager.cainjector.image_repo || ~~ ))
-        tag: (( .landscape.versions.cert-manager.cainjector.image_tag || ~~ ))
-    webhook:
-      image:
-        repository: (( .landscape.versions.cert-manager.webhook.image_repo || ~~ ))
-        tag: (( .landscape.versions.cert-manager.webhook.image_tag || ~~ ))
-    serviceAccount:
-      create: true
-      name: (( .settings.serviceAccountName ))
-    installCRDs: true
+    createCRDs:
+      issuers: true
+      certificates: true
+    configuration:
+      dnsClass: (( .imports.dns-controller.export.dns-class ))
+      dnsNamespace: (( .settings.namespace ))
+      certClass: (( .settings.certClass ))
+      defaultIssuer: (( .settings.issuerName ))
+      issuerNamespace: (( .settings.namespace ))
 
 state:
   <<: (( &state(merge none) ))

components/dns-controller/deployment.yaml

@@ -107,3 +107,4 @@ spec:
       kubeconfigId: (( .landscape.name ))
       controllers: "dnssources,compound"
       ttl: (( .landscape.dns.ttl || ~~ ))
+      disableNamespaceRestriction: true

dependency-versions.yaml

@@ -83,6 +83,10 @@
     "dns-controller-manager": {
       "repo": "https://github.com/gardener/external-dns-management.git",
       "version": "v0.15.2"
+    },
+    "cert-management": {
+      "repo": "https://github.com/gardener/cert-management.git",
+      "version": "v0.10.4"
     }
   }
 }